Bug 1219964 (CVE-2024-0793) - VUL-0: CVE-2024-0793: kubernetes,kubernetes1.18,kubernetes1.23,kubernetes1.24,kubernetes1.25,kubernetes1.26,kubernetes1.27,kubernetes1.28: kube-controller-manager: malformed HPA v1 manifest causes crash
Summary: VUL-0: CVE-2024-0793: kubernetes,kubernetes1.18,kubernetes1.23,kubernetes1.24...
Status: RESOLVED FIXED
Alias: CVE-2024-0793
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/394199/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-0793:4.4:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-15 12:37 UTC by SMASH SMASH
Modified: 2024-04-29 03:35 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-02-15 12:37:53 UTC 
The problem in particular is with the annotation "autoscaling.alpha.kubernetes.io/behavior" when it doesn't have a definition for scaling up, The cluster accepts the manifest but it seems that it fills with "nil" the scale up portion and it causes the kube-controller-manager pods to crash and go into crashloopbackoff.

The logs of the kube-controller-manager component show an error referencing invalid memory address or nil pointer dereference which causes the pod to die.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0793
https://bugzilla.redhat.com/show_bug.cgi?id=2214402
Comment 2 Priyanka Saggu 2024-02-15 13:10:44 UTC 
jfyi, we only ship kubernetes client packages as part of SUSE SLE service packs.

None of the Kubernetes server side component packages (like controller-manager) are shipped.

> No useful info find, only a redhat bugzilla entry

I'll also keep an eye on any fixes/workaround from the upstream project, and will accordingly include them in factory packages.
Comment 7 Maintenance Automation 2024-04-08 16:30:07 UTC 
SUSE-SU-2024:1166-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219964
CVE References: CVE-2024-0793
Maintenance Incident: [SUSE:Maintenance:32856](https://smelt.suse.de/incident/32856/)
Sources used:
openSUSE Leap 15.4 (src):
 kubernetes1.26-1.26.14-150400.9.6.1
openSUSE Leap 15.5 (src):
 kubernetes1.26-1.26.14-150400.9.6.1
Containers Module 15-SP5 (src):
 kubernetes1.26-1.26.14-150400.9.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2024-04-08 16:30:10 UTC 
SUSE-SU-2024:1165-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1062303, 1219964
CVE References: CVE-2024-0793
Maintenance Incident: [SUSE:Maintenance:32857](https://smelt.suse.de/incident/32857/)
Sources used:
Containers Module 15-SP5 (src):
 kubernetes1.25-1.25.16-150400.9.6.1
openSUSE Leap 15.4 (src):
 kubernetes1.25-1.25.16-150400.9.6.1
openSUSE Leap 15.5 (src):
 kubernetes1.25-1.25.16-150400.9.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2024-04-08 16:30:12 UTC 
SUSE-SU-2024:1164-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219964
CVE References: CVE-2024-0793
Maintenance Incident: [SUSE:Maintenance:32854](https://smelt.suse.de/incident/32854/)
Sources used:
openSUSE Leap 15.5 (src):
 kubernetes1.24-1.24.17-150500.3.13.1
Containers Module 15-SP5 (src):
 kubernetes1.24-1.24.17-150500.3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-04-08 16:30:14 UTC 
SUSE-SU-2024:1163-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219964
CVE References: CVE-2024-0793
Maintenance Incident: [SUSE:Maintenance:32853](https://smelt.suse.de/incident/32853/)
Sources used:
openSUSE Leap 15.5 (src):
 kubernetes1.23-1.23.17-150500.3.9.1
Containers Module 15-SP5 (src):
 kubernetes1.23-1.23.17-150500.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.